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BY DON ROTOLO,* N2IRZ 


Data Encryption is Legal! 


out we've been able to do it any time we want- 

ed to. Data encryption for our intended pur- 
poses /s already permitted under Part 97 of the 
FCC rules. We just hadn't realized it. Read on for 
the details. 

Data encryption has been a hot topic for some 
time in the digital community. We discussed both 
sides of the issue in the past two columns. In this 
month's column we'll be putting the topic to rest, 
once and for all. 

The basic point is that our ham bands are not 
meant to be secure against casual listening. How- 
ever, when we are providing communications for 
some agency or organization, such as for disas- 
ter relief, those agencies have some expectation 
of confidentiality. Information about people, as 
well as movement of supplies and resources, is 
not meant to be heard by the general public. Un- 
licensed Part 15 users are afforded the opportu- 
nity to encrypt this information to protect privacy, 
so why not Part 97 users? 

Until now, the “common wisdom” has been that 
Section 97.113(a)(4) of the FCC rules, which pro- 
hibits “messages in codes or ciphers intended to 
obscure the meaning thereof, except as otherwise 
provided herein...,” made it illegal for hams to 
encrypt any information that wasn’t specifically 
exempted, even passwords to prevent non-ama- 
teurs using Part 15 devices on shared frequen- 
cies from accessing Part 97 networks, even 
though another paragraph of §97.113, paragraph 
(e), says that except for a few specific exemptions, 
“No station shall retransmit programs or signals 
emanating from any type of radio station other 
than an amateur station...” 

Paul Toth, NA4AR, a member of the ARRL’s 
High-Speed Multimedia (HSMM) Working Group, 
a former ARRL Section Emergency Coordinator, 
and a recipient of the 2005 NOAA Environmental 
Hero award for his volunteer amateur radio work 
at the National Weather Service office in Ruskin, 
Florida during the 2004 hurricanes, posed some 
arguments for allowing limited encryption, which 
are excerpted here: 


| ust like Dorothy returning to Kansas, it turns 


Commercial Part 15 operations have brought with 
them many benefits to society. Wireless networking has 
enabled greater use of the Internet and the volumes of 
information that are available there ... IEEE 802.11 
devices, wireless telephones and dozens of other types 
of unlicensed, Part 15 radio emitters have become so 
pervasive they now number in the tens of millions. And 
that is just in the United States. 

802.11 Wireless Access Points (WAPs), by default, 
are configured to act as repeaters. Most of these Part 15 
WAPs are equipped with security features that comply 
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with IEEE standard 802.1x to limit access. When 
enabled, these 802.1x security features will repeat only 
those operators whose stations meet the encrypted 
access authentication criteria programmed into the WAP. 
Part 15 operators are free to use 802.1x security as well 
as WEP and WPA to limit access to their WAPs. Amateur 
Radio operators operating WAPs under Part 97 rules 
without encryption switched on are likely to violate 
97.113(e) by inadvertently re-transmitting Part 15 sig- 
nals. But 97.113(a)(4) prohibits encryption. 

Two years ago, before Charley, Ivan, Katrina, Rita, 
Wilma, and the other hurricanes that made landfall in 
the US in 2004 and 2005, the ARRL Board voted unan- 
imously to petition the FCC for a rules change on encryp- 
tion. The proposal sought to legalize the use of “indus- 
try-standard security and encryption protocols” for 
domestic communications on all bands above 50 MHz. 
Such a change in the rules would allow amateur oper- 
ations to utilize spectrum shared with commercial oper- 
ators without fear of violating 97.113(a)(4) or 97.113(e) 
and address the growing need for secure disaster re- 
sponse communications. However, at its January 2006 
meeting, after hearing a report from ARRL General 
Counsel Chris Imlay, W3KD, on “the background for and 
implications of moving forward with” filing such a peti- 
tion, the ARRL Board effectively rescinded its earlier 
motion, voting “to relieve the General Counsel of the 
requirements” to seek a rules change on this matter. 
Meanwhile, FEMA and the Department of Homeland 
Security have sought out organizations like Part15.org 
to explore emergency communications contingencies 
on frequencies licensed to the Amateur Radio Service. 

No one is suggesting relocation of Part 15 users to 
other radio spectrum. Hams, of course, are just as free 
to operate an 802.11 or 802.16 station under Part 15 
rules as are non-licensees. But why should we? After 
all, we hold licenses to operate on these bands. That 
license is supposed to afford Amateur Radio operators 
priority as well as the privilege of operating with higher 
transmitter power than Part 15 operators. What is hold- 
ing hams back are antiquated rules written without 
recognition of the mixed spectrum utilization now in 
place. A change in the rules to permit the use of indus- 
try standard security and encryption protocols on 
domestic transmissions can, once again, open these 
bands to those who hold a license to use them. 


After reading Paul's comments, we at CQbegan 
some follow-up work to try to tie up loose ends. 
The result was that a variety of strings began to 
come together, leading to the conclusions pre- 
sented here. My thanks to Paul for his willingness 
to share his thoughts and keep the issue on the 
table long enough to get the ball rolling. Let's 
review Paul’s basic points and how they led to a 
rather startling conclusion: 


It’s Been Legal All Along! 


Note: The following was developed from a series 
of discussions, both public and private, with 
numerous hams, including some with authorita- 
tive knowledge on these matters who asked not 
to be quoted at this point, as the discussions were 
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still ongoing. It started with Paul’s com- 
ments above and reaches the conclu- 
sions below. While it would be impos- 
sible to acknowledge everyone 
involved, much of the credit goes to the 
members of the High Speed Multimedia 
(HSMM) Working Group. 

Paul’s primary point in advocating 
encryption under Part 97 is the need for 
network security, which is to prevent 
non-hams from accessing amateur 
equipment (inadvertently or on pur- 
pose), which could result in a violation 
of the FCC rules. His conclusion is that 
some encryption is absolutely neces- 
sary for amateurs today. Also, as Paul 
stated two years ago, the ARRL Board 
of Directors agreed that it was a good 
idea to petition the FCC to permit limit- 
ed data encryption. The digital and 
emergency communications communi- 
ties had convinced the directors that 
such an action would further the Ama- 
teur Radio Service. What, then, 
changed their minds in 2006? 

Well, it turns out that there’s no need 
for a petition because there’s nothing 
in the rules preventing the use of 
data encryption for the purposes 
we’re discussing, specifically protect- 
ing the network from unauthorized intru- 
sion and usage, as well as the more 
general purpose of supporting emer- 
gency communications while maintain- 
ing the privacy of disaster victims—both 
in actual emergencies and in practice 
drills. (That last bit is important: While 
the emergency communications ex- 
emption in 97.401(a) essentially sus- 
pends all the rules when necessary, 
drills are not an emergency, and it is 
absolutely essential to practice with a 
system regularly if you expect it to work 
when there is an emergency.) 


Network Security 


First, let's discuss network security. 
What we're trying to accomplish here is 
to prevent outsiders from accessing the 
network, as required by 97.113(e) and 
implied in 97.105 and elsewhere. If this 
can be accomplished with a password, 
then there is nothing in the rules pre- 
venting us from encrypting that pass- 
word. | compare that to keeping the con- 
trol codes for a repeater secret: It is clear 
to anyone monitoring as to who is trans- 
mitting and the general purpose of the 
transmission, so the exact password that 
is being transmitted is not that important. 

However, more than a password is 
needed to secure an 802.1x network. 
WEP (Wireline-Equivalent Privacy), for 
example, prevents anyone not using the 
proper key from associating with the 
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WAP (Wireless Access Point). That 
means if we enable WEP, we are effec- 
tively preventing Part 15 users from 
accessing—inadvertently or on pur- 
pose—a network operating under Part 
97 rules. 


The Purpose is What Matters 


The key here is that the purpose of 
encrypting is notto obscure meaning. It 
is to secure the network from unautho- 
rized access. Let’s take a look at 
Section 97.113(a)(4) again, which 
states that no amateur station shall 
transmit “... messages encoded for the 
purpose of obscuring their meaning....” 
The key word here is purpose. This rule 
is not regulating a method or practice; 
it regulates a purpose or intent. 

For the communications purposes we 
are discussing—network security and 
access control, emergency communi- 
cations, and practice for same—our 
purposes in using encryption are the 
security of the network and the privacy 
of third-party information. In either case, 
the purpose is not to obscure meaning. 
We have to assume that the rules were 
written very carefully, and they mean 
what they say. It might seem kind of odd 
that the rules deal with intent, rather 
than practice, but they are what they 
are: If the purpose of encryption is 
not to obscure meaning, then it is 
permitted. This carries over to any 
encryption method, on any frequency, 
including HF. 

The FCC’s main concern is knowing 
who transmitted a particular signal. 
Then, if there are problems or ques- 
tions, the Commission would know 
whom to contact for more information. 


Caveats 


Well, there’s no such thing as a free 
lunch. Of course, there are limits to how 
we carry this out, both operationally and 
from a practical standpoint. 

The first caveat is that nothing re- 
lieves amateur radio operators from the 
requirement to identify their stations, at 
least every 10 minutes and at the end 
of each contact. With 802.1x gear the 
simplest method is to set the SSID to 
your Callsign. If you use something dif- 
ferent, you may need to work out some 
other methods to accommodate what- 
ever system you decide to use. 

The second caveat is that you still 
need to comply with Section 97.309 
(a)(4), which states that “An amateur 
station transmitting a RTTY or data 
emission using a digital code specified 
in this paragraph may use any tech- 
nique whose technical characteristics 


have been documented publicly....” 
Whatever encryption methods you use 
—WEP, WPA, WPA2, or whatever—it 
must be publicly documented. Please 
note that this specifically means the 
encryption algorithm, not the encryp- 
tion key. Making the key public is no 
security at all! 

The third caveat is that you should 
probably refrain from attempting en- 
crypted communications with other 
countries, since their FCC-equivalents 
may not permit it. Atthe very least, tread 
carefully here. 

Finally, it would be good amateur 
practice to document the encryption key 
being used in your station logbook, and 
perhaps also a general characterization 
of the purposes for using encryption. It 
would also be good practice, particu- 
larly in a real emergency, to maintain 
copies of transmitted messages for pos- 
sible future FCC inspection. Most e-mail 
programs do this automatically, unless 
you turn off the feature. It would be best 
to leave it on. 


HSMM Leads the Direction 


By the time you read this, the HSMM 
Working Group will have posted some 
new guidelines for the use of encryption 
on amateur frequencies. While this was 
still pending as | write this (mid-June), 
an update was expected by July. Have 
a look at the League’s website for the 
latest news. 

Again, my thanks to Paul Toth, 
NA4AR, for continuing the debate on 
encryption in the ham bands, and to all 
those | spoke with, especially those on 
the ARRL’s HSMM WG, for the lively, 
spirited, and very intelligent discussion 
of this month's topic. The members of 
ARRL Board of Directors, even if you 
might not agree with everything they do, 
should certainly be thanked for their 
work to reach this point. This didn’t hap- 
pen in a vacuum, and it is only through 
the hard work of many that the amateur 
community can now celebrate the best 
possible outcome for this debate: It’s 
been legal all along, so go out and have 
fun and/or provide the emergency com- 
munications services your community 
needs and that ham radio has tradi- 
tionally been able to offer. 

Finally, | thank everyone who takes 
the time to write to me with comments, 
suggestions, ideas for future columns 
and yes, even complaints. We're used 
to two-way communications, and this 
column isn’t any different. See what it 
did this month? 

Until next time... 

73, Don, N2iRZ 
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